Research carried out by a German cryptography team found that a flaw in how the app interacts with WhatsApp's servers, which are controlled by Facebook, allows anyone with access to those servers to easily insert new people into a private group chat.
"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them", Paul Rösler, one of the Ruhr University researchers behind the new findings, told Wired. A WhatsApp spokesperson also noted that preventing the Ruhr University researchers' attack would likely break a popular WhatsApp feature known as a "group invite link", which allows anyone to join a group simply by clicking on a URL.
The research says that the app does not use any authentication to check administrators' invitations to group chats. Whenever a new member is to be added, the administrator first sends a request to the WhatsApp server containing the ID of the member it wants to add.
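The mechanism just described, as an added illustration that is not WhatsApp's code or the researchers' proof of concept: a client that applies any membership change the server relays, beside one that applies a change only when it carries the group admin's Ed25519 signature over the group, action and member (the group and member names, and the admin key pair, are constructed for the example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// GroupChange is a membership update that the server relays to every member.
// The server sees all of it, so the only thing keeping it honest is the
// admin's signature over the fields that matter.
type GroupChange struct {
	GroupID   string
	Action    string // "add" or "remove"
	Member    string
	Signature []byte // empty in the unauthenticated design
}

// payload is the byte string the admin signs. A fixed separator keeps
// ("g1","add","bob") from colliding with ("g1a","dd","bob").
func payload(c GroupChange) []byte {
	return []byte(c.GroupID + "\x00" + c.Action + "\x00" + c.Member)
}

// AdminAdd is what an honest admin issues: the request carries a signature
// made with a key the server never holds.
func AdminAdd(priv ed25519.PrivateKey, groupID, member string) GroupChange {
	c := GroupChange{GroupID: groupID, Action: "add", Member: member}
	c.Signature = ed25519.Sign(priv, payload(c))
	return c
}

// AcceptUnauthenticated models the flaw described in the article: a client
// applies whatever membership change the server delivers.
func AcceptUnauthenticated(c GroupChange) bool {
	return c.Action == "add" || c.Action == "remove"
}

// AcceptAuthenticated is the hardened check: a client applies the change only
// if the group's admin signed exactly this group, action and member.
func AcceptAuthenticated(adminPub ed25519.PublicKey, c GroupChange) bool {
	return ed25519.Verify(adminPub, payload(c), c.Signature)
}

func main() {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	legit := AdminAdd(adminPriv, "family-chat", "bob")
	// A compromised server forges an add for "mallory" without the admin key.
	forged := GroupChange{GroupID: "family-chat", Action: "add", Member: "mallory"}
	fmt.Println(AcceptUnauthenticated(forged), AcceptAuthenticated(adminPub, forged)) // true false
	fmt.Println(AcceptAuthenticated(adminPub, legit))                                // true
}
```

A deployable version would also bind a per-group counter or epoch into the signed payload, so that a relayed old "add" cannot be replayed after the member has been removed.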
With over 1.2 billion monthly active users, WhatsApp is available in more than 50 languages around the world, including 10 Indian languages. Users do, however, still get a notification when a new member joins. According to the researchers, WhatsApp carries a higher security risk than Signal and Threema.
Reacting to the report, Facebook Chief Security Officer Alex Stamos tweeted: "Read the Wired article about WhatsApp - scary headline!"
We've looked at this issue carefully. The new feature will allow an admin to demote a fellow administrator without removing them from the group.
It's not a problem that will impact most users, but chat apps like Signal and WhatsApp have been used for private conversations by everyone from politicians to government dissidents. These messages use regular encryption and can thus be cracked and spoofed if someone takes control of a WhatsApp server. Typical group chats are managed by one person, who is identified as the administrator of the chat.
WhatsApp noted that group members can see who else is in the group by tapping "group info", though the flaw means that encryption would not protect users who have not checked this and are therefore unaware that their group has been infiltrated.
WhatsApp rolled out the mentions feature for its users back in 2016 in an attempt to improve the overall user experience. "It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted."